CVE-2025-59163
CVE-2025-59163 is a low-severity vulnerability with a CVSS 4.0 base score of 2.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-350.
Key facts
- Severity: Low (CVSS 4.0 base score 2.1)
- EPSS exploit prediction: 0% (30th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-31583
- Weakness: CWE-350
- Published:
- Last modified:
Description
vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool. This issue is fixed in version 1.12.5.
Frequently asked questions
- What is CVE-2025-59163?
- vet is an open source software supply chain security tool. Versions 1.12.4 and below are vulnerable to a DNS rebinding attack due to lack of HTTP Host and Origin header validation. Data from the vet scan sqlite3 database may be exposed to remote attackers when vet is used as an MCP server in SSE mode with default ports through the sqlite3 query MCP tool. This issue is fixed in version 1.12.5.
- How severe is CVE-2025-59163?
- CVE-2025-59163 has a CVSS 4.0 base score of 2.1, rated low severity.
- Is CVE-2025-59163 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (30th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2025-59163?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2025-59163 have an EU (EUVD) identifier?
- Yes. CVE-2025-59163 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-31583.
- When was CVE-2025-59163 published?
- CVE-2025-59163 was published on 2025-09-29 and last updated on 2026-06-17.
References
- https://github.com/safedep/vet/commit/0ae3560ba11846375812377299fe078d45cc3d48
- https://github.com/safedep/vet/releases/tag/v1.12.5
- https://github.com/safedep/vet/security/advisories/GHSA-6q9c-m9fr-865m
Other CWE-350 vulnerabilities
- CVE-2026-1490 — Critical (CVSS 9.8): The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary…
- CVE-2023-52235 — High (CVSS 8.8): SpaceX Starlink Wi-Fi router GEN 2 before 2023.53.0 and Starlink Dish before 07dd2798-ff15-4722-a9ee-de28928aed34 allow…
- CVE-2025-8036 — High (CVSS 8.1): Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS…
- CVE-2026-33002 — High (CVSS 7.5): Jenkins 2.442 through 2.554 (both inclusive), LTS 2.426.3 through LTS 2.541.2 (both inclusive) performs origin…
- CVE-2021-34561 — High (CVSS 7.5): In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 serious issue exists, if the application is not externally accessible or…
- CVE-2021-22884 — High (CVSS 7.5): Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes…